Re: [Samba] LDAP: What has changed between 3.0.11 and 3.0.20

2005-10-30 Thread robert . walland
Hi,
I had a similar problem with groups. After I had tried every 
possibility that I knew, I just copied the data from the TEST LDAP 
PDC server, which was a Celeron 433 with 128 MB of RAM, to a production 
server, a Xeon 2.4 with 2 GB of RAM. Surprisingly, everything works fine now 
on the new server, showing all the groups. So it was a hardware issue. But 
maybe these hints will help:
- bigger cachesize in slapd.conf
- try to avoid that the user with id 0 is the same in /etc/pass. Use 
administrator in LDAP instead of root.


 



[EMAIL PROTECTED] 
Sent by: [EMAIL PROTECTED]
28.10.2005 19:42

To: samba@lists.samba.org
cc:
Subject: [Samba] LDAP: What has changed between 3.0.11 and 3.0.20






Hi,

I recently upgraded our PDC to Samba 3.0.20 from 3.0.11. Unfortunately the
user manager (usrmgr.exe) does not show all the users anymore. I cannot
find the real culprit yet, but:

Oct 28 19:18:08 [slapd] conn=2886 op=8 SRCH
base=ou=people,dc=aub.nl,dc=aub,dc=nl scope=2 deref=0
filter=((uid=*)(objectClass=sambaSamAccount))_
Oct 28 19:18:08 [slapd] conn=2886 op=8 SRCH attr=uid sambaSid displayName
description sambaAcctFlags_
Oct 28 19:18:08 [slapd] conn=2886 op=8 SEARCH RESULT tag=101 err=0
nentries=117 text=_
Oct 28 19:18:08 [slapd] conn=2886 op=9 SRCH base=dc=aub.nl,dc=aub,dc=nl
scope=2 deref=0
filter=((objectClass=sambaGroupMapping)(sambaGroupType=4))_
Oct 28 19:18:08 [slapd] conn=2886 op=9 SRCH attr=cn sambaSid displayName
description sambaGroupType_

shows that all entries are initially returned. After that Samba goes out
to find the groups. It seems to me that something goes wrong here but I am
not sure.

Did something change so dramatically between 3.0.11 and 3.0.20, that I
should have adjusted my config or directory (I am not using ldap filter)
or is this something else?

Kind regards,

B. de Bruin
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba




[Samba] smbmount codepage/iocharset settings vs NT4

2005-10-30 Thread Leonard den Ottolander
Hi,

I'm in the process of setting up a backup server for a somewhat
antiquated NT4 server. Backup server is CentOS-4 (~ RHEL-4),
kernel-2.6.9-11.EL, samba-client-3.0.10-1.4E, rsync-2.6.3-1,
LANG=en_US.UTF-8. NT4 shares are mounted on the server and rsynced to
local disk.

This setup is working pretty well, however on the NT box there are some
files with names containing odd characters like accented characters and
ellipsis. I'm a bit at a loss as to the correct settings of the smbmount
iocharset and codepage parameters to use, and whether the display
charset and unix charset options in smb.conf are relevant to the mounts.

I've set up a test share. An ls in smbclient gives me the correct output
in a gnome-terminal and an mget gets me the files with their correctly
utf8ified names (console seemed ok until after a toggle to X):

$ smbclient -U auser //david-bowie/Test
Password:
Domain=[EVERYTHING] OS=[Windows NT 4.0] Server=[NT LAN Manager 4.0]
smb: \ ls
  .   D0  Sat Oct 29 18:58:49 2005
  ..  D0  Sat Oct 29 18:58:49 2005
  ellipsis zijn heel fijn (…).doc  A24064  Sat Oct 29 18:57:14 2005
  Nogmaals ellipsis ….doc   A24064  Sat Oct 29 18:58:31 2005
  één document á €50.doc A24064  Sat Oct 29 18:55:28 2005
  één document.doc  A24064  Sat Oct 29 18:54:20 2005
  ‘‰’.doc   A24064  Sat Oct 29 18:57:55 2005
  “quotes”.docA24064  Sat Oct 29 18:53:40 2005

52004 blocks of size 262144. 2165 blocks available

However, an smbmount without any charset options gives me the following
result:

$ sudo mount -o username=auser //david-bowie/Test /mnt/tmp
Password:
$ ls /mnt/tmp
`%'.doc  ??n document.doc
ellipsis zijn heel fijn (.).doc  Nogmaals ellipsis ..doc
??n document ? ?50.doc   quotes.doc

Using cp850 improves the output somewhat:

$ sudo mount -o username=auser,codepage=cp850 //david-bowie/Test /mnt/tmp
Password:
$ ls /mnt/tmp
`%'.doc ellipsis zijn heel fijn (.).doc
één document á ?50.doc  Nogmaals ellipsis ..doc
één document.docquotes.doc

I assumed the code page used by NT4 was cp1252 (MS-ANSI), but using
cp1252 for the codepage gives me the same output for these files as the
mount with no codepage option set.

To make a long story short: What are the proper options to pass to
smbmount and/or set in /etc/samba/smb.conf?

Thanks,
Leonard.




Re: [Samba] smbmount codepage/iocharset settings vs NT4

2005-10-30 Thread Leonard den Ottolander
Hello Andrew,

On Mon, 2005-10-31 at 08:34 +1100, Andrew Bartlett wrote:
  This setup is working pretty well, however on the NT box there are some
  files with names containing odd characters like accented characters and
  ellipsis. I'm a bit at a loss as to the correct settings of the smbmount
  iocharset and codepage parameters to use, and whether the display
  charset and unix charset options in smb.conf are relevant to the mounts.
 
 You should use the CIFS VFS for your backup operations, as it will
 correctly use unicode on the wire, and therefore allow a correct utf8
 translation.
 
 smbfs is considered deprecated, and certainly should not be used for new
 installations. 

Ok.

$ sudo mount -t cifs -o username=auser //david-bowie/Test /mnt/tmp
Password:
[EMAIL PROTECTED] ~]$ ls /mnt/tmp
één document á €50.doc  ellipsis zijn heel fijn (…).doc  ‘?颂ꋩ??
één document.docNogmaals ellipsis ….doc  “???鲂닩?

That indeed solves the issue for the more common cases. Luckily in real
life I don't have to deal with these cases but what about the below 2 file
names? They are printed correctly in smbclient.

  ‘‰’.doc   A24064  Sat Oct 29 18:57:55 2005
  “quotes”.docA24064  Sat Oct 29 18:53:40 2005

Leonard.




Re: [Samba] smbmount codepage/iocharset settings vs NT4

2005-10-30 Thread Andrew Bartlett
On Sun, 2005-10-30 at 23:08 +0100, Leonard den Ottolander wrote:
 Hello Andrew,
 
 On Mon, 2005-10-31 at 08:34 +1100, Andrew Bartlett wrote:
   This setup is working pretty well, however on the NT box there are some
   files with names containing odd characters like accented characters and
   ellipsis. I'm a bit at a loss as to the correct settings of the smbmount
   iocharset and codepage parameters to use, and whether the display
   charset and unix charset options in smb.conf are relevant to the mounts.
  
  You should use the CIFS VFS for your backup operations, as it will
  correctly use unicode on the wire, and therefore allow a correct utf8
  translation.
  
  smbfs is considered deprecated, and certainly should not be used for new
  installations. 
 
 Ok.
 
 $ sudo mount -t cifs -o username=auser //david-bowie/Test /mnt/tmp
 Password:
 [EMAIL PROTECTED] ~]$ ls /mnt/tmp
 één document á €50.doc  ellipsis zijn heel fijn (…).doc  ‘?颂ꋩ??
 één document.docNogmaals ellipsis ….doc  “???鲂닩?
 
 That indeed solves the issue for the more common cases. Luckily in real
 life I don't have to deal with these cases but what about the below 2 file
 names? They are printed correctly in smbclient.
 
   ‘‰’.doc   A24064  Sat Oct 29 18:57:55 2005
   “quotes”.docA24064  Sat Oct 29 18:53:40 2005

This will be smbclient correctly finding your 'display
charset' (locale) from the environment which the cifsvfs can't tell
from kernel space.  You should use UTF8 everywhere if possible.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc.        http://suse.de
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net



Re: [Samba] smbmount codepage/iocharset settings vs NT4

2005-10-30 Thread Jeremy Allison
On Sun, Oct 30, 2005 at 11:08:06PM +0100, Leonard den Ottolander wrote:
 Hello Andrew,
 
 On Mon, 2005-10-31 at 08:34 +1100, Andrew Bartlett wrote:
   This setup is working pretty well, however on the NT box there are some
   files with names containing odd characters like accented characters and
   ellipsis. I'm a bit at a loss as to the correct settings of the smbmount
   iocharset and codepage parameters to use, and whether the display
   charset and unix charset options in smb.conf are relevant to the mounts.
  
  You should use the CIFS VFS for your backup operations, as it will
  correctly use unicode on the wire, and therefore allow a correct utf8
  translation.
  
  smbfs is considered deprecated, and certainly should not be used for new
  installations. 
 
 Ok.
 
 $ sudo mount -t cifs -o username=auser //david-bowie/Test /mnt/tmp
 Password:
 [EMAIL PROTECTED] ~]$ ls /mnt/tmp
 één document á €50.doc  ellipsis zijn heel fijn (…).doc  ‘?颂ꋩ??
 één document.docNogmaals ellipsis ….doc  “???鲂닩?
 
 That indeed solves the issue for the more common cases. Luckily in real
 life I don't have to deal with these cases but what about the below 2 file
 names? They are printed correctly in smbclient.

Log a bug with Steve French. He should be using similar unicode
conversions as smbclient.

Jeremy.


Re: [Samba] smbmount codepage/iocharset settings vs NT4

2005-10-30 Thread Leonard den Ottolander
Hello Andrew,

On Mon, 2005-10-31 at 09:16 +1100, Andrew Bartlett wrote:
 On Sun, 2005-10-30 at 23:08 +0100, Leonard den Ottolander wrote:
 This will be smbclient correctly finding your 'display
 charset' (locale) from the environment which the cifsvfs can't tell
 from kernel space.  You should use UTF8 everywhere if possible.

LANG=en_US.UTF-8. Setting display charset and unix charset to UTF8 in
smb.conf does not solve this. I'll consider filing a bug as Jeremy
suggested. Right now I'm just going to be content :) . Thanks guys.

Leonard.




Re: [Samba] smbmount codepage/iocharset settings vs NT4

2005-10-30 Thread Andrew Bartlett
On Sun, 2005-10-30 at 23:32 +0100, Leonard den Ottolander wrote:
 Hello Andrew,
 
 On Mon, 2005-10-31 at 09:16 +1100, Andrew Bartlett wrote:
  On Sun, 2005-10-30 at 23:08 +0100, Leonard den Ottolander wrote:
  This will be smbclient correctly finding your 'display
  charset' (locale) from the environment which the cifsvfs can't tell
  from kernel space.  You should use UTF8 everywhere if possible.
 
 LANG=en_US.UTF-8. Setting display charset and unix charset to UTF8 in
 smb.conf does not solve this. 

Just for clarification, that is because the CIFS VFS doesn't read our
(userspace) smb.conf file, and smbclient didn't change because it was
already on UTF8.

 I'll consider filing a bug as Jeremy
 suggested. 

Sounds like a bug to me.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc.        http://suse.de
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
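
Added example, not part of the thread or of Samba: a pre-flight check for the backup case discussed above, showing which of the thread's file names can survive a single-byte code page on the wire and which only survive Unicode. It assumes the server falls back to a single-byte OEM code page (cp850, the setting that gave the best smbfs output in the thread) when Unicode is not negotiated; the function names are made up for this sketch and the two `rapport` names are constructed.

```python
# Added illustration (not from the thread). Assumption: without Unicode on the
# wire the server sends names in a single-byte OEM code page; cp850 is used
# here because it gave the best smbfs listing in the thread.

# File names copied from the smbclient listing in the thread.
NAMES = [
    "ellipsis zijn heel fijn (…).doc",
    "Nogmaals ellipsis ….doc",
    "één document á €50.doc",
    "één document.doc",
    "‘‰’.doc",
    "“quotes”.doc",
]

# Constructed pair: two distinct names that differ only in characters
# a single-byte OEM code page cannot carry.
CONSTRUCTED = ["rapport “A”.doc", "rapport ‘A’.doc"]


def lost_chars(name, codec):
    """Return the characters of `name` that have no byte in `codec`."""
    lost = []
    for ch in name:
        try:
            ch.encode(codec)
        except UnicodeEncodeError:
            lost.append(ch)
    return lost


def client_view(name, wire_codec, client_codec):
    """Name as the client sees it: server encodes, client decodes.

    errors="replace" stands in for the server's own substitution; the
    listings in the thread show look-alikes such as '.' and '%' instead
    of the '?' that Python produces.
    """
    wire = name.encode(wire_codec, errors="replace")
    return wire.decode(client_codec, errors="replace")


def audit(names, wire_codec, client_codec):
    """Map every name that does not survive the round trip to what arrives."""
    changed = {}
    for name in names:
        seen = client_view(name, wire_codec, client_codec)
        if seen != name:
            changed[name] = seen
    return changed


def collisions(names, wire_codec, client_codec):
    """Distinct source names that arrive as one name (overwrite risk in a backup)."""
    groups = {}
    for name in names:
        seen = client_view(name, wire_codec, client_codec)
        groups.setdefault(seen, []).append(name)
    return {seen: srcs for seen, srcs in groups.items() if len(srcs) > 1}


if __name__ == "__main__":
    for name in NAMES:
        print(f"{name!r}: not in cp850: {lost_chars(name, 'cp850')}")

    print("\nOEM code page on the wire, matching client code page:")
    for src, seen in audit(NAMES, "cp850", "cp850").items():
        print(f"  {src!r} -> {seen!r}")

    print("\nOEM code page on the wire, client decodes as cp1252:")
    for src, seen in audit(NAMES, "cp850", "cp1252").items():
        print(f"  {src!r} -> {seen!r}")

    print("\nUnicode (UTF-16LE) on the wire:")
    print("  changed names:", audit(NAMES, "utf-16-le", "utf-16-le"))

    print("\nCollisions among the constructed names over cp850:")
    print(" ", collisions(CONSTRUCTED, "cp850", "cp850"))
```

The characters reported as lost are gone before the client decodes anything, which is why no client-side codepage or iocharset value restores them; only a Unicode transport does.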



[Samba] Not all users correctly winbind-ing on Server 2003 SP1 with 3.0.20b

2005-10-30 Thread Richard Greaney

Hi all
This one has me baffled - leading me to believe it could be a bug 
similar to https://bugzilla.samba.org/show_bug.cgi?id=2695


I am running samba 3.0.20b on debian unstable and am having problems 
with some users not resolving properly using winbind.


wbinfo -u shows all users on the system, no problem
wbinfo -a user%password works for any user
getent passwd shows most but not all users

For a user who isn't shown with getent, wbinfo -n will give me their 
sid, but wbinfo -S {sid} returns Could not convert sid 
S-1-5-21-997653320-332963777-2638616180-1106 to uid


I have 100 users on the Windows server. Only 81 are being correctly 
resolved. I have tried removing the winbind_idmap.tdb file and getting 
winbindd to rebuild it, but this makes no difference.


Here is a log of what I get when I run winbindd -SFi -d3 then getent passwd:

ads_sasl_spnego_bind: got server principal name [EMAIL PROTECTED]
ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found)
Ticket in ccache[MEMORY:winbind_ccache] expiration Mon, 31 Oct 2005 23:47:43 GMT
ads: query_user_list
ads query_user_list gave 100 entries
tdb(/var/lib/samba/winbindd_idmap.tdb): rec_read bad magic 0x42424242 at offset=59948
error getting user id for sid S-1-5-21-997653320-332963777-2638616180-1106
could not lookup domain user IWAM_DC1
tdb(/var/lib/samba/winbindd_idmap.tdb): rec_read bad magic 0x42424242 at offset=59948
tdb(/var/lib/samba/winbindd_idmap.tdb): rec_free_read bad magic 0x42424242 at offset=60200
error getting user id for sid S-1-5-21-997653320-332963777-2638616180-1107
could not lookup domain user cba_anonymous
tdb(/var/lib/samba/winbindd_idmap.tdb): rec_read bad magic 0x42424242 at offset=59864
error getting user id for sid S-1-5-21-997653320-332963777-2638616180-1185
could not lookup domain user WS0012$
tdb(/var/lib/samba/winbindd_idmap.tdb): rec_read bad magic 0x42424242 at offset=60116
tdb(/var/lib/samba/winbindd_idmap.tdb): rec_free_read bad magic 0x42424242 at offset=60200
error getting user id for sid S-1-5-21-997653320-332963777-2638616180-1189
could not lookup domain user Room3
tdb(/var/lib/samba/winbindd_idmap.tdb): rec_read bad magic 0x42424242 at offset=60032
tdb(/var/lib/samba/winbindd_idmap.tdb): rec_free_read bad magic 0x42424242 at offset=60200
error getting user id for sid S-1-5-21-997653320-332963777-2638616180-1195
could not lookup domain user Room9
tdb(/var/lib/samba/winbindd_idmap.tdb): rec_read bad magic 0x42424242 at offset=59780
error getting user id for sid S-1-5-21-997653320-332963777-2638616180-1209
could not lookup domain user WS0022$
tdb(/var/lib/samba/winbindd_idmap.tdb): rec_read bad magic 0x42424242 at offset=60116
tdb(/var/lib/samba/winbindd_idmap.tdb): rec_free_read bad magic 0x42424242 at offset=60200
error getting user id for sid S-1-5-21-997653320-332963777-2638616180-1239
could not lookup domain user LMarychurch
tdb(/var/lib/samba/winbindd_idmap.tdb): rec_read bad magic 0x42424242 at offset=59780
tdb(/var/lib/samba/winbindd_idmap.tdb): rec_free_read bad magic 0x42424242 at offset=60200
error getting user id for sid S-1-5-21-997653320-332963777-2638616180-1241
could not lookup domain user MWiggins
tdb(/var/lib/samba/winbindd_idmap.tdb): rec_read bad magic 0x42424242 at offset=60116
error getting user id for sid S-1-5-21-997653320-332963777-2638616180-1242
could not lookup domain user LBurgess
tdb(/var/lib/samba/winbindd_idmap.tdb): rec_free_read bad magic 0x42424242 at offset=60200
error getting user id for sid S-1-5-21-997653320-332963777-2638616180-1249
could not lookup domain user LT0006$
tdb(/var/lib/samba/winbindd_idmap.tdb): rec_read bad magic 0x42424242 at offset=59948
tdb(/var/lib/samba/winbindd_idmap.tdb): rec_free_read bad magic 0x42424242 at offset=60200
error getting user id for sid S-1-5-21-997653320-332963777-2638616180-1252
could not lookup domain user LT0008$
tdb(/var/lib/samba/winbindd_idmap.tdb): rec_free_read bad magic 0x42424242 at offset=60200
error getting user id for sid S-1-5-21-997653320-332963777-2638616180-1256
could not lookup domain user LT0010$
tdb(/var/lib/samba/winbindd_idmap.tdb): rec_read bad magic 0x42424242 at offset=59780
tdb(/var/lib/samba/winbindd_idmap.tdb): rec_free_read bad magic 0x42424242 at offset=60200
error getting user id for sid S-1-5-21-997653320-332963777-2638616180-1258
could not lookup domain user LT0012$
tdb(/var/lib/samba/winbindd_idmap.tdb): rec_free_read bad magic 0x42424242 at offset=60200
error getting user id for sid S-1-5-21-997653320-332963777-2638616180-1261
could not lookup domain user issue
tdb(/var/lib/samba/winbindd_idmap.tdb): rec_free_read bad magic 0x42424242 at offset=60200
error getting user id for sid S-1-5-21-997653320-332963777-2638616180-1262
could not lookup domain user Search
tdb(/var/lib/samba/winbindd_idmap.tdb): rec_free_read bad magic 0x42424242 at offset=60200
error getting user id for sid 

[Samba] Error while executing smbd in unix x86 workstation

2005-10-30 Thread Alan Tan
Hi All,
 
I've installed Unix version 9.0 on my PC (Intel workstation). I've configured 
network connection, file share, samba, etc.
 
The samba package is samba-3.0.21pre1-1-noads-sunos5.9-sparc.pkg.gz. I 
encountered the following error while executing smbd. Please advise.
 
Error:
./smbd: syntax error at line1: '(' unexpected
 
Thanks in advance.
 
Regards,
Alan
 




Re: [Samba] Domain groups with spaces in their names

2005-10-30 Thread Jeremy

Gerald (Jerry) Carter wrote:


I have a Samba file server which I have successfully joined to a domain
controlled by a Windows 2003 domain controller. I cannot get the server to
allow access to users who are members of a group with spaces in its name.
 


I have the same problem with Samba version 3.20b. What is interesting is
that groups with spaces in the name work through Winbind (ie. apache
with mod_auth_pam), but don't work from within Samba (ie. the smb.conf
file).  Is this currently being resolved, and/or is there a work around?
   



 


valid users = @spaced users
 



Should be valid users = +DOMAIN\spaced users
The key is that domain users and groups have to be fully qualified.
 

I've tested with every variation of syntax ie. , + and @, DOMAIN\, 
domain\, Domain\, etc. Things work consistently when I change the 
group name to group_name or DOMAIN\group_name. But, when I use 
either with a space in the name I get authentication errors (smbd only). 
The log files list the correct fully qualified domain group name and 
the user name, but then say that the member does not belong to that group.


The reason I've posted here is that winbindd (using PAM and Apache) 
seems to be fine with the spaces in the name.


I'm using
realm = fqdn.domainname.com
workgroup = DOMAINNAME
winbind use default domain = yes

If you need more detailed logs, please let me know. BTW this is with a 
Windows 2003 Active Directory domain controller.


Cheers,
Jeremy



[Samba] Roaming and local profiles EXTRANGE problem!!

2005-10-30 Thread Daniel Ruiz Jimenez

- Original Message - 
From: Daniel Ruiz Jimenez 
To: samba@lists.samba.org 
Sent: Saturday, October 29, 2005 6:44 PM
Subject: Roaming and local profiles EXTRANGE problem!!


Hi, 

I'm from Spain, and my name is Daniel. I am desperate because of a problem with 
Samba, and I can't find any solution on Google, forums, and so on.

I know that you are really tired of stupid questions from beginners or not 
beginners, but I really need somebody to help me!!!

The problem is:

My clients (WinXP and 2000) log on OK to my Samba domain. They load their 
roaming profile, all OK. But

... something strange happens!!! They load BOTH roaming and LOCAL profiles!! 
This causes old copies of their profiles to be loaded (for example, if they 
haven't logged on to a particular client for a long time), such as old 
documents deleted from another client.

I found a solution, deleting the local profile from clients by a group 
directive... but my bosses don't like this solution... I'm really 
desperate... :(

Please help me... thanks

My clients are Win XP with SP2 and Win2000 with SP4. I'm using Samba 3.

I post my smb.conf:

[global]
workgroup = MICASA
server string = Controlador de Dominio
passdb backend = tdbsam, guest
passwd program = /usr/bin/passwd %u
log file = /var/log/samba/log.%m
max log size = 1000
time server = Yes
domain logons = Yes
os level = 34
preferred master = Yes
domain master = Yes
wins support = Yes
[homes]
comment = Home Directories
read only = No
create mask = 0700
directory mask = 0700
browseable = No

[netlogon]
comment = Network Logon Service
path = /home/samba/netlogon
write list = root
browseable = No

[profiles]
comment = User profiles share
path = /var/lib/samba/profiles
read only = No
create mask = 0600
directory mask = 0700
browseable = No
profile acls = yes


[Samba] getpwnam user not on domain

2005-10-30 Thread Daniel Cheong
I wonder if anyone has come across this problem I am facing. Currently
running 3.0.20b as a member of W2K3 AD, I have a third party educational
software that runs from a samba share which is available for all students.

Somehow, I find that CPU is running high in % with the server slowing down and
winbind users not resolving properly to username from GID. I notice that a
lot of these messages are generated:

getpwnam ANDREW LEGGETT.VARNDEAN.000

It seems to me there is a piece of code in the application that runs as/by
user 'Andrew Leggett' and winbind is complaining that it does not exist on
the domain, which obviously is the case.

Does anyone have a clue how I can disable getpwnam for a user 'unknown' to the domain?




svn commit: samba r11400 - in branches/SAMBA_4_0/source/auth: gensec kerberos

2005-10-30 Thread metze
Author: metze
Date: 2005-10-30 10:39:52 + (Sun, 30 Oct 2005)
New Revision: 11400

WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=sambarev=11400

Log:
fix compiler warnings

metze
Modified:
   branches/SAMBA_4_0/source/auth/gensec/gensec_krb5.c
   branches/SAMBA_4_0/source/auth/kerberos/kerberos.h


Changeset:
Modified: branches/SAMBA_4_0/source/auth/gensec/gensec_krb5.c
===
--- branches/SAMBA_4_0/source/auth/gensec/gensec_krb5.c 2005-10-30 00:56:39 UTC 
(rev 11399)
+++ branches/SAMBA_4_0/source/auth/gensec/gensec_krb5.c 2005-10-30 10:39:52 UTC 
(rev 11400)
@@ -175,7 +175,7 @@
const char *hostname;
krb5_flags ap_req_options = AP_OPTS_USE_SUBKEY | 
AP_OPTS_MUTUAL_REQUIRED;
 
-   char *principal;
+   const char *principal;
krb5_data in_data;
 
hostname = gensec_get_target_hostname(gensec_security);
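
Review bot: the switch to `const char *principal` at new line 178 needs a check of how `principal` is used further down in this function, which the hunk does not show. If it is later passed to a call that takes a plain `char *`, or freed, the warning only moves elsewhere. The log message "fix compiler warnings" would also be more useful if it named the warning being silenced.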

Modified: branches/SAMBA_4_0/source/auth/kerberos/kerberos.h
===
--- branches/SAMBA_4_0/source/auth/kerberos/kerberos.h  2005-10-30 00:56:39 UTC 
(rev 11399)
+++ branches/SAMBA_4_0/source/auth/kerberos/kerberos.h  2005-10-30 10:39:52 UTC 
(rev 11400)
@@ -35,11 +35,11 @@
 };
 
 /* not really ASN.1, but RFC 1964 */
-#define TOK_ID_KRB_AP_REQ  \x01\x00
-#define TOK_ID_KRB_AP_REP  \x02\x00
-#define TOK_ID_KRB_ERROR   \x03\x00
-#define TOK_ID_GSS_GETMIC  \x01\x01
-#define TOK_ID_GSS_WRAP\x02\x01
+#define TOK_ID_KRB_AP_REQ  ((const uint8_t *)\x01\x00)
+#define TOK_ID_KRB_AP_REP  ((const uint8_t *)\x02\x00)
+#define TOK_ID_KRB_ERROR   ((const uint8_t *)\x03\x00)
+#define TOK_ID_GSS_GETMIC  ((const uint8_t *)\x01\x01)
+#define TOK_ID_GSS_WRAP((const uint8_t *)\x02\x01)
 
 #ifdef HAVE_KRB5_KEYBLOCK_KEYVALUE
 #define KRB5_KEY_TYPE(k)   ((k)-keytype)
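
Review bot: wrapping the five `TOK_ID_*` literals in a `(const uint8_t *)` cast turns each macro from an array into a pointer, so any caller that takes `sizeof(TOK_ID_KRB_AP_REQ)` or relies on adjacent string-literal concatenation silently changes meaning. A comment beside the "RFC 1964" line stating that every token ID is exactly two bytes, or a companion length macro, would make the expected compare length explicit.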



Build status as of Mon Oct 31 00:00:01 2005

2005-10-30 Thread build
URL: http://build.samba.org/

--- /home/build/master/cache/broken_results.txt.old 2005-10-30 
00:00:39.0 +
+++ /home/build/master/cache/broken_results.txt 2005-10-31 00:00:06.0 
+
@@ -1,17 +1,17 @@
-Build status as of Sun Oct 30 00:00:01 2005
+Build status as of Mon Oct 31 00:00:01 2005
 
 Build counts:
 Tree Total  Broken Panic 
 ccache   10 3  0 
 distcc   9  2  0 
 lorikeet-heimdal 34 34 0 
-ppp  17 1  0 
-rsync37 3  0 
+ppp  17 0  0 
+rsync31 2  0 
 samba3  0  0 
 samba-docs   0  0  0 
-samba4   34 27 5 
-samba_3_038 6  0 
-smb-build25 3  0 
-talloc   36 14 0 
-tdb  36 5  0 
+samba4   33 27 5 
+samba_3_037 5  0 
+smb-build25 2  0 
+talloc   35 14 0 
+tdb  8  3  0 
 


svn commit: samba r11401 - in branches/SAMBA_4_0/source/auth/credentials: .

2005-10-30 Thread abartlet
Author: abartlet
Date: 2005-10-31 00:23:38 + (Mon, 31 Oct 2005)
New Revision: 11401

WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=sambarev=11401

Log:
A simple hack to have our central credentials system deny sending LM
authentication for [EMAIL PROTECTED] logins and machine account logins.

This should avoid various protocol downgrade attacks.

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/auth/credentials/credentials.c
   branches/SAMBA_4_0/source/auth/credentials/credentials.h
   branches/SAMBA_4_0/source/auth/credentials/credentials_files.c
   branches/SAMBA_4_0/source/auth/credentials/credentials_ntlm.c


Changeset:
Modified: branches/SAMBA_4_0/source/auth/credentials/credentials.c
===
--- branches/SAMBA_4_0/source/auth/credentials/credentials.c2005-10-30 
10:39:52 UTC (rev 11400)
+++ branches/SAMBA_4_0/source/auth/credentials/credentials.c2005-10-31 
00:23:38 UTC (rev 11401)
@@ -52,6 +52,7 @@
cred-old_password = NULL;
cred-smb_krb5_context = NULL;
cred-salt_principal = NULL;
+   cred-machine_account = False;
 
return cred;
 }

Modified: branches/SAMBA_4_0/source/auth/credentials/credentials.h
===
--- branches/SAMBA_4_0/source/auth/credentials/credentials.h2005-10-30 
10:39:52 UTC (rev 11400)
+++ branches/SAMBA_4_0/source/auth/credentials/credentials.h2005-10-31 
00:23:38 UTC (rev 11401)
@@ -84,4 +84,7 @@
 * secrets.ldb when we are asked for a username or password */
 
BOOL machine_account_pending;
+   
+   /* Is this a machine account? */
+   BOOL machine_account;
 };
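
Review bot: the new `machine_account` member sits directly below `machine_account_pending` with only "Is this a machine account?" as documentation. The comment should say how the two flags differ and which code path is expected to set the new one, since authentication decisions are meant to depend on it.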

Modified: branches/SAMBA_4_0/source/auth/credentials/credentials_files.c
===
--- branches/SAMBA_4_0/source/auth/credentials/credentials_files.c  
2005-10-30 10:39:52 UTC (rev 11400)
+++ branches/SAMBA_4_0/source/auth/credentials/credentials_files.c  
2005-10-31 00:23:38 UTC (rev 11401)
@@ -197,6 +197,9 @@
/* ok, we are going to get it now, don't recurse back here */
cred-machine_account_pending = False;
 
+   /* some other parts of the system will key off this */
+   cred-machine_account = True;
+
mem_ctx = talloc_named(cred, 0, cli_credentials fetch machine 
password);
/* Local secrets are stored in secrets.ldb */
ldb = secrets_db_connect(mem_ctx);
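
Review bot: `machine_account` is set to True before `secrets_db_connect()` and the rest of the fetch have run, so the flag stays set even when the machine password lookup below fails. Set it once the fetch has succeeded, or clear it on the error paths, because the added comment says other parts of the system key off it.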

Modified: branches/SAMBA_4_0/source/auth/credentials/credentials_ntlm.c
===
--- branches/SAMBA_4_0/source/auth/credentials/credentials_ntlm.c   
2005-10-30 10:39:52 UTC (rev 11400)
+++ branches/SAMBA_4_0/source/auth/credentials/credentials_ntlm.c   
2005-10-31 00:23:38 UTC (rev 11401)
@@ -56,6 +56,18 @@
 
cli_credentials_get_ntlm_username_domain(cred, mem_ctx, user, domain);
 
+   /* If we are sending a [EMAIL PROTECTED] login (see function
+* above), then we will not send LM, it will not be
+* accepted */
+   if (cred-principal_obtained  cred-username_obtained) {
+   *flags = *flags  ~CLI_CRED_LANMAN_AUTH;
+   }
+
+   /* Likewise if we are a machine account (avoid protocol downgrade 
attacks) */
+   if (cred-principal_obtained  cred-username_obtained) {
+   *flags = *flags  ~CLI_CRED_LANMAN_AUTH;
+   }
+
if (!nt_hash) {
static const uint8_t zeros[16];
/* do nothing - blobs are zero length */
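
Review bot: the second added `if` tests exactly the same expression as the first (principal_obtained against username_obtained), although its comment says it covers machine accounts. As written, the `machine_account` flag introduced elsewhere in this commit is never consulted here, so a machine account that does not also satisfy the principal test still has `CLI_CRED_LANMAN_AUTH` set. The second condition presumably should test `machine_account` instead.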



svn commit: samba r11402 - in branches/SAMBA_4_0/source: librpc/idl rpc_server/netlogon torture/rpc

2005-10-30 Thread abartlet
Author: abartlet
Date: 2005-10-31 02:12:13 + (Mon, 31 Oct 2005)
New Revision: 11402

WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=sambarev=11402

Log:
In response to comments by volker, expand our Netlogon DsRGetDCName
IDL and testsuites.  The server-side of this remains a stub, we should
probably be doing ldb searches for the server reference record.

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/librpc/idl/netlogon.idl
   branches/SAMBA_4_0/source/rpc_server/netlogon/dcerpc_netlogon.c
   branches/SAMBA_4_0/source/torture/rpc/netlogon.c


Changeset:
Sorry, the patch is too large (395 lines) to include; please use WebSVN to see 
it!
WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=sambarev=11402


svn commit: samba r11403 - in branches/SAMBA_4_0/source/lib/ldb/ldb_ildap: .

2005-10-30 Thread tridge
Author: tridge
Date: 2005-10-31 02:13:02 + (Mon, 31 Oct 2005)
New Revision: 11403

WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=sambarev=11403

Log:

improved the error handling in the ildap ldb backend. Now passes
through all ldap errors except on search. Search errors are only
available via ldb_errstring() until we decide how to fix ldb_search().


Modified:
   branches/SAMBA_4_0/source/lib/ldb/ldb_ildap/ldb_ildap.c


Changeset:
Modified: branches/SAMBA_4_0/source/lib/ldb/ldb_ildap/ldb_ildap.c
===
--- branches/SAMBA_4_0/source/lib/ldb/ldb_ildap/ldb_ildap.c 2005-10-31 
02:12:13 UTC (rev 11402)
+++ branches/SAMBA_4_0/source/lib/ldb/ldb_ildap/ldb_ildap.c 2005-10-31 
02:13:02 UTC (rev 11403)
@@ -32,17 +32,35 @@
 #include includes.h
 #include ldb/include/ldb.h
 #include ldb/include/ldb_private.h
+#include ldb/include/ldb_errors.h
 #include libcli/ldap/ldap.h
 #include libcli/ldap/ldap_client.h
 #include lib/cmdline/popt_common.h
 
 struct ildb_private {
struct ldap_connection *ldap;
-   NTSTATUS last_rc;
struct ldb_message *rootDSE;
+   struct ldb_context *ldb;
 };
 
+
 /*
+  map an ildap NTSTATUS to a ldb error code
+*/
+static int ildb_map_error(struct ildb_private *ildb, NTSTATUS status)
+{
+   if (NT_STATUS_IS_OK(status)) {
+   return LDB_SUCCESS;
+   }
+   talloc_free(ildb-ldb-err_string);
+   ildb-ldb-err_string = talloc_strdup(ildb, ldap_errstr(ildb-ldap, 
status));
+   if (NT_STATUS_IS_LDAP(status)) {
+   return NT_STATUS_LDAP_CODE(status);
+   }
+   return LDB_ERR_OPERATIONS_ERROR;
+}
+
+/*
   rename a record
 */
 static int ildb_rename(struct ldb_module *module, const struct ldb_dn *olddn, 
const struct ldb_dn *newdn)
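
Review bot: `ildb_map_error()` dereferences the new `ldb` member of `struct ildb_private`, but none of the visible hunks assign it, so confirm the connect path sets it before the first rename or delete can fail. The `talloc_strdup()` result is also stored unchecked and is parented to `ildb` rather than to the ldb context that owns `err_string`; parenting it to the ldb context would keep ownership consistent.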
@@ -52,19 +70,22 @@
int ret = 0;
char *old_dn;
char *newrdn, *parentdn;
+   NTSTATUS status;
 
/* ignore ltdb specials */
if (ldb_dn_is_special(olddn) || ldb_dn_is_special(newdn)) {
-   return 0;
+   return LDB_SUCCESS;
}
 
local_ctx = talloc_named(ildb, 0, ildb_rename local context);
if (local_ctx == NULL) {
-   return -1;
+   ret = LDB_ERR_OPERATIONS_ERROR;
+   goto failed;
}
 
old_dn = ldb_dn_linearize(local_ctx, olddn);
if (old_dn == NULL) {
+   ret = LDB_ERR_INVALID_DN_SYNTAX;
goto failed;
}
 
@@ -72,26 +93,22 @@
newdn-components[0].name,
ldb_dn_escape_value(ildb, 
newdn-components[0].value));
if (newrdn == NULL) {
+   ret = LDB_ERR_OPERATIONS_ERROR;
goto failed;
}
 
parentdn = ldb_dn_linearize(local_ctx, ldb_dn_get_parent(ildb, newdn));
if (parentdn == NULL) {
+   ret = LDB_ERR_INVALID_DN_SYNTAX;
goto failed;
}
 
-   ildb-last_rc = ildap_rename(ildb-ldap, old_dn, newrdn, parentdn, 
True);
-   if (!NT_STATUS_IS_OK(ildb-last_rc)) {
-   ldb_set_errstring(module, talloc_strdup(module, 
ldap_errstr(ildb-ldap, ildb-last_rc)));
-   ret = -1;
-   }
+   status = ildap_rename(ildb-ldap, old_dn, newrdn, parentdn, True);
+   ret = ildb_map_error(ildb, status);
 
+failed:
talloc_free(local_ctx);
return ret;
-
-failed:
-   talloc_free(local_ctx);
-   return -1;
 }
 
 /*
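
Review bot: with the two exit paths merged, everything that should be released on failure has to hang off `local_ctx`, but `ldb_dn_escape_value(ildb, ...)` and `ldb_dn_get_parent(ildb, newdn)` in the context lines still allocate on `ildb`, so those temporaries outlive every call. Passing `local_ctx` there would let the single `talloc_free(local_ctx)` clean them up.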
@@ -102,20 +119,21 @@
struct ildb_private *ildb = module-private_data;
char *del_dn;
int ret = 0;
+   NTSTATUS status;
 
/* ignore ltdb specials */
if (ldb_dn_is_special(dn)) {
-   return 0;
+   return LDB_SUCCESS;
}

del_dn = ldb_dn_linearize(ildb, dn);
-
-   ildb-last_rc = ildap_delete(ildb-ldap, del_dn);
-   if (!NT_STATUS_IS_OK(ildb-last_rc)) {
-   ldb_set_errstring(module, talloc_strdup(module, 
ldap_errstr(ildb-ldap, ildb-last_rc)));
-   ret = -1;
+   if (del_dn == NULL) {
+   return LDB_ERR_INVALID_DN_SYNTAX;
}
 
+   status = ildap_delete(ildb-ldap, del_dn);
+   ret = ildb_map_error(ildb, status);
+
talloc_free(del_dn);
 
return ret;
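
Review bot: a NULL from ldb_dn_linearize() is reported as LDB_ERR_INVALID_DN_SYNTAX here and in ildb_rename; if linearize can also fail on allocation, this reports an out-of-memory condition as a syntax error. Either distinguish the two cases or return LDB_ERR_OPERATIONS_ERROR, as the newrdn failure in the rename hunk does.
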
@@ -135,6 +153,7 @@
int count, i;
struct ldap_message **ldapres, *msg;
char *search_base;
+   NTSTATUS status;
 
if (scope == LDB_SCOPE_DEFAULT) {
scope = LDB_SCOPE_SUBTREE;
@@ -163,11 +182,11 @@
return -1;
}
 
-   ildb-last_rc = ildap_search_bytree(ildb-ldap, search_base, scope, 
tree, attrs, 
+   status = ildap_search_bytree(ildb-ldap, search_base, scope, tree, 
attrs, 
0, ldapres);
talloc_free(search_base);
-   if (!NT_STATUS_IS_OK(ildb-last_rc)) {
-   
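
Review bot: the context line "return -1;" at the top of this hunk is left untouched while rename and delete now return LDB_ERR_* codes; the search path's early failures should be converted in the same change so callers see one error convention.
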

svn commit: samba r11404 - in branches/SAMBA_4_0/source: include libcli/util torture/rpc

2005-10-30 Thread abartlet
Author: abartlet
Date: 2005-10-31 02:46:15 + (Mon, 31 Oct 2005)
New Revision: 11404

WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=11404

Log:
Another torture test and a new WERR.

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/include/doserr.h
   branches/SAMBA_4_0/source/libcli/util/doserr.c
   branches/SAMBA_4_0/source/torture/rpc/netlogon.c


Changeset:
Modified: branches/SAMBA_4_0/source/include/doserr.h
===
--- branches/SAMBA_4_0/source/include/doserr.h  2005-10-31 02:13:02 UTC (rev 
11403)
+++ branches/SAMBA_4_0/source/include/doserr.h  2005-10-31 02:46:15 UTC (rev 
11404)
@@ -187,6 +187,7 @@
 #define WERR_NO_MORE_ITEMS W_ERROR(259)
 #define WERR_MORE_DATA W_ERROR(234)
 #define WERR_CAN_NOT_COMPLETE W_ERROR(1003)
+#define WERR_INVALID_COMPUTERNAME W_ERROR(1210)
 #define WERR_INVALID_DOMAINNAME W_ERROR(1212)
 #define WERR_UNKNOWN_REVISION W_ERROR(1305)
 #define WERR_REVISION_MISMATCH W_ERROR(1306)

Modified: branches/SAMBA_4_0/source/libcli/util/doserr.c
===
--- branches/SAMBA_4_0/source/libcli/util/doserr.c  2005-10-31 02:13:02 UTC 
(rev 11403)
+++ branches/SAMBA_4_0/source/libcli/util/doserr.c  2005-10-31 02:46:15 UTC 
(rev 11404)
@@ -72,6 +72,7 @@
{ WERR_UNKNOWN_REVISION, WERR_UNKNOWN_REVISION },
{ WERR_REVISION_MISMATCH, WERR_REVISION_MISMATCH },
{ WERR_INVALID_OWNER, WERR_INVALID_OWNER },
+   { WERR_INVALID_COMPUTERNAME, WERR_INVALID_COMPUTERNAME },
{ WERR_INVALID_DOMAINNAME, WERR_INVALID_DOMAINNAME },
{ WERR_NO_SUCH_USER, WERR_NO_SUCH_USER },
{ WERR_NO_SUCH_DOMAIN, WERR_NO_SUCH_DOMAIN },

Modified: branches/SAMBA_4_0/source/torture/rpc/netlogon.c
===
--- branches/SAMBA_4_0/source/torture/rpc/netlogon.c2005-10-31 02:13:02 UTC 
(rev 11403)
+++ branches/SAMBA_4_0/source/torture/rpc/netlogon.c2005-10-31 02:46:15 UTC 
(rev 11404)
@@ -1136,6 +1136,19 @@
ret = False;
}
}
+   r.in.computer_name  = talloc_asprintf(mem_ctx, %s, 
computer_name);
+   printf(Testing netr_DsRGetSiteName with broken computer name: %s\n, 
r.in.computer_name);
+
+   status = dcerpc_netr_DsRGetSiteName(p, mem_ctx, r);
+   if (!NT_STATUS_IS_OK(status)) {
+   printf(netr_DsRGetSiteName - %s\n, 
+  nt_errstr(status));
+   ret = False;
+   } else if (!W_ERROR_EQUAL(r.out.result, WERR_INVALID_COMPUTERNAME)) {
+   printf(netr_DsRGetSiteName - incorrect error return %s, 
expected %s\n, 
+  win_errstr(r.out.result), 
win_errstr(WERR_INVALID_COMPUTERNAME));
+   ret = False;
+   }
return ret;
 }
 



svn commit: samba r11405 - in branches/SAMBA_4_0/source/torture/rpc: .

2005-10-30 Thread abartlet
Author: abartlet
Date: 2005-10-31 02:58:29 + (Mon, 31 Oct 2005)
New Revision: 11405

WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=11405

Log:
Ensure we can never have secret4 be uninitialised.  Found after
volker's urging on the use of -O1.

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/torture/rpc/lsa.c


Changeset:
Modified: branches/SAMBA_4_0/source/torture/rpc/lsa.c
===
--- branches/SAMBA_4_0/source/torture/rpc/lsa.c 2005-10-31 02:46:15 UTC (rev 
11404)
+++ branches/SAMBA_4_0/source/torture/rpc/lsa.c 2005-10-31 02:58:29 UTC (rev 
11405)
@@ -797,13 +797,13 @@
status = dcerpc_lsa_OpenSecret(p, mem_ctx, r2);
if (!NT_STATUS_IS_OK(status)) {
printf(OpenSecret failed - %s\n, nt_errstr(status));
-   ret = False;
+   return False;
}

status = dcerpc_fetch_session_key(p, session_key);
if (!NT_STATUS_IS_OK(status)) {
printf(dcerpc_fetch_session_key failed - %s\n, 
nt_errstr(status));
-   ret = False;
+   return False;
}

enc_key = sess_encrypt_string(secret1, session_key);
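
Review bot: the changes from "ret = False" to "return False" make the test stop at the first failed call, so the remaining secret checks never run and nothing after these points gets a chance to clean up what the test created earlier. If aborting is intended, say so in the log message; otherwise keep "ret = False" and guard the steps that depend on the failed call.
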
@@ -820,7 +820,7 @@
status = dcerpc_lsa_SetSecret(p, mem_ctx, r3);
if (!NT_STATUS_IS_OK(status)) {
printf(SetSecret failed - %s\n, nt_errstr(status));
-   ret = False;
+   return False;
}

r3.in.sec_handle = sec_handle;
@@ -916,12 +916,14 @@
if (!NT_STATUS_IS_OK(status)) {
printf(QuerySecret failed - %s\n, nt_errstr(status));
ret = False;
+   secret4 = NULL;
} else {
 
if (r6.out.new_val-buf == NULL || r6.out.old_val-buf 
== NULL 
|| r6.out.new_mtime == NULL || r6.out.old_mtime 
== NULL) {
printf(Both secret buffers and both times not 
returned\n);
ret = False;
+   secret4 = NULL;
} else {
blob1.data = r6.out.new_val-buf-data;
blob1.length = r6.out.new_val-buf-size;
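
Review bot: secret4 is set to NULL in two separate failure branches; initialising it to NULL at its declaration covers both of these and any branch added later, and is the more robust fix for a maybe-uninitialised warning.
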



svn commit: samba r11406 - in branches/SAMBA_4_0/source/torture/rpc: .

2005-10-30 Thread abartlet
Author: abartlet
Date: 2005-10-31 03:00:36 + (Mon, 31 Oct 2005)
New Revision: 11406

WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=11406

Log:
Clean up uninitialised value warnings found by -01.

The warnings were caused by the structure assignments, which we don't
need to do.  The actual values are filled in by the NDR layer later.

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/torture/rpc/testjoin.c


Changeset:
Modified: branches/SAMBA_4_0/source/torture/rpc/testjoin.c
===
--- branches/SAMBA_4_0/source/torture/rpc/testjoin.c2005-10-31 02:58:29 UTC 
(rev 11405)
+++ branches/SAMBA_4_0/source/torture/rpc/testjoin.c2005-10-31 03:00:36 UTC 
(rev 11406)
@@ -112,8 +112,6 @@
uint32_t rid;
DATA_BLOB session_key;
struct lsa_String name;
-   struct lsa_String comment;
-   struct lsa_String full_name;

int policy_min_pw_len = 0;
struct test_join *join;
@@ -243,15 +241,15 @@
 
u.info21.acct_flags = acct_type;
u.info21.fields_present = SAMR_FIELD_ACCT_FLAGS | 
SAMR_FIELD_DESCRIPTION | SAMR_FIELD_COMMENT | SAMR_FIELD_FULL_NAME;
-   comment.string = talloc_asprintf(join, 
-Tortured by Samba4: %s, 
-timestring(join, time(NULL)));
-   u.info21.comment = comment;
-   full_name.string = talloc_asprintf(join, 
-Torture account for Samba4: %s, 
-timestring(join, time(NULL)));
-   u.info21.full_name = full_name;
 
+   u.info21.comment.string = talloc_asprintf(join, 
+ Tortured by Samba4: %s, 
+ timestring(join, time(NULL)));
+   
+   u.info21.full_name.string = talloc_asprintf(join, 
+   Torture account for 
Samba4: %s, 
+   timestring(join, 
time(NULL)));
+   
u.info21.description.string = talloc_asprintf(join, 
 Samba4 torture account created by 
host %s: %s, 
 lp_netbios_name(), timestring(join, 
time(NULL)));
@@ -286,8 +284,6 @@
struct test_join *tj;
struct samr_SetUserInfo s;
union samr_UserInfo u;
-   struct lsa_String comment;
-   struct lsa_String full_name;

tj = talloc(NULL, struct test_join);
if (!tj) return NULL;
@@ -320,6 +316,7 @@
}

libnet_r-in.acct_type = acct_flags;
+   libnet_r-in.recreate_account = True;
 
status = libnet_JoinDomain(libnet_ctx, libnet_r, libnet_r);
if (NT_STATUS_EQUAL(status, NT_STATUS_USER_EXISTS)) {
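
Review bot: the added recreate_account = True assignment is unrelated to the uninitialised-value cleanup described in the log message, and the recreate_account field only appears in libnet_join.h with r11407, so as shown on this page this revision does not build on its own. Move the line into r11407.
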
@@ -356,15 +353,13 @@
s.in.level = 21;
 
u.info21.fields_present = SAMR_FIELD_DESCRIPTION | SAMR_FIELD_COMMENT | 
SAMR_FIELD_FULL_NAME;
-   comment.string = talloc_asprintf(tj, 
-Tortured by Samba4: %s, 
-timestring(tj, time(NULL)));
-   u.info21.comment = comment;
-   full_name.string = talloc_asprintf(tj, 
-Torture account for Samba4: %s, 
-timestring(tj, time(NULL)));
-   u.info21.full_name = full_name;
-
+   u.info21.comment.string = talloc_asprintf(tj, 
+ Tortured by Samba4: %s, 
+ timestring(tj, time(NULL)));
+   u.info21.full_name.string = talloc_asprintf(tj, 
+   Torture account for 
Samba4: %s, 
+   timestring(tj, time(NULL)));
+   
u.info21.description.string = talloc_asprintf(tj, 
  Samba4 torture account 
created by host %s: %s, 
  lp_netbios_name(), 
timestring(tj, time(NULL)));
@@ -415,7 +410,6 @@
 
 NTSTATUS torture_leave_ads_domain(TALLOC_CTX *mem_ctx, struct 
libnet_JoinDomain *libnet_r)
 {
-   NTSTATUS status;
int rtn;
TALLOC_CTX *tmp_ctx;
 
@@ -474,7 +468,7 @@
DEBUG(0, (%s removed successfully.\n, libnet_r-out.server_dn_str));
 
talloc_free(tmp_ctx); 
-   return status;
+   return NT_STATUS_OK;
 }
 
 /*



svn commit: samba r11407 - in branches/SAMBA_4_0/source: libnet torture/rpc

2005-10-30 Thread abartlet
Author: abartlet
Date: 2005-10-31 03:03:32 + (Mon, 31 Oct 2005)
New Revision: 11407

WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=11407

Log:
Push 'recreate account' logic into libnet/libnet_join.c.  We don't
return the pesky USER_EXISTS 'error' code any more, and it is much
easier to handle this inline.

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/libnet/libnet_join.c
   branches/SAMBA_4_0/source/libnet/libnet_join.h
   branches/SAMBA_4_0/source/torture/rpc/testjoin.c


Changeset:
Modified: branches/SAMBA_4_0/source/libnet/libnet_join.c
===
--- branches/SAMBA_4_0/source/libnet/libnet_join.c  2005-10-31 03:00:36 UTC 
(rev 11406)
+++ branches/SAMBA_4_0/source/libnet/libnet_join.c  2005-10-31 03:03:32 UTC 
(rev 11407)
@@ -144,9 +144,9 @@
if (rtn != 0) {
libnet_r-out.error_string
= talloc_asprintf(libnet_r,
-   Failed to add server entry %s: %s.,
+   Failed to add server entry %s: %s: %d,
server_dn_str,
-   ldb_errstring(remote_ldb));
+ ldb_errstring(remote_ldb), rtn);
talloc_free(tmp_ctx);
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
@@ -881,6 +881,36 @@
talloc_free(tmp_ctx);
return status;
}
+
+   if (r-in.recreate_account) {
+   struct samr_DeleteUser d;
+   d.in.user_handle = u_handle;
+   d.out.user_handle = u_handle;
+   status = dcerpc_samr_DeleteUser(samr_pipe, mem_ctx, d);
+   if (!NT_STATUS_IS_OK(status)) {
+   r-out.error_string = talloc_asprintf(mem_ctx,
+ 
samr_DeleteUser (for recreate) of [%s] failed: %s,
+ 
r-in.account_name,
+ 
nt_errstr(status));
+   talloc_free(tmp_ctx);
+   return status;
+   }
+
+   /* We want to recreate, so delete and another 
samr_CreateUser2 */
+   
+   /* cu filled in above */
+   cu_status = dcerpc_samr_CreateUser2(samr_pipe, tmp_ctx, 
cu);   
+   status = cu_status;
+   if (!NT_STATUS_IS_OK(status)  
!NT_STATUS_EQUAL(status, NT_STATUS_USER_EXISTS)) {
+   r-out.error_string = talloc_asprintf(mem_ctx,
+ 
samr_CreateUser2 (recreate) for [%s] failed: %s\n,
+ 
r-in.domain_name, nt_errstr(status));
+   talloc_free(tmp_ctx);
+   return status;
+   }
+   DEBUG(0, (Recreated account in domain %s\n, 
domain_name));
+
+   }
}
/* Find out what password policy this user has */
pwp.in.user_handle = u_handle;
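
Review bot: in the recreate branch the samr_CreateUser2 failure message fills [%s] with the request's domain_name, while the samr_DeleteUser message just above it uses account_name; the account name looks like what was meant. The branch also lets NT_STATUS_USER_EXISTS through after DeleteUser has already been issued on u_handle, and u_handle is then used for the password policy query below, so if that status can still occur here it should be treated as a failure. Minor: the DeleteUser call runs on mem_ctx and the CreateUser2 call on tmp_ctx, and only the second error string ends in \n.
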
@@ -1093,6 +1123,7 @@
r2-in.netbios_name = netbios_name;
r2-in.level= LIBNET_JOINDOMAIN_AUTOMATIC;
r2-in.acct_type= acct_type;
+   r2-in.recreate_account = False;
status = libnet_JoinDomain(ctx, r2, r2);
if (!NT_STATUS_IS_OK(status)) {
r-out.error_string = talloc_steal(mem_ctx, 
r2-out.error_string);
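
Review bot: recreate_account is set explicitly here, but the field is new and a True value makes libnet_JoinDomain delete the existing account, so any other caller that builds the request struct without zeroing it passes an indeterminate value into a destructive path. Check the remaining callers or zero the struct when it is allocated.
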

Modified: branches/SAMBA_4_0/source/libnet/libnet_join.h
===
--- branches/SAMBA_4_0/source/libnet/libnet_join.h  2005-10-31 03:00:36 UTC 
(rev 11406)
+++ branches/SAMBA_4_0/source/libnet/libnet_join.h  2005-10-31 03:03:32 UTC 
(rev 11407)
@@ -40,6 +40,7 @@
const char *binding;
enum libnet_JoinDomain_level level;
uint32_t  acct_type;
+   BOOL recreate_account;
} in;
 
struct {

Modified: branches/SAMBA_4_0/source/torture/rpc/testjoin.c
===
--- branches/SAMBA_4_0/source/torture/rpc/testjoin.c2005-10-31 03:00:36 UTC 
(rev 11406)
+++ branches/SAMBA_4_0/source/torture/rpc/testjoin.c2005-10-31 03:03:32 UTC 
(rev 11407)
@@ -319,21 +319,6 @@
libnet_r-in.recreate_account = True;
 
status = libnet_JoinDomain(libnet_ctx, libnet_r, libnet_r);
-   if (NT_STATUS_EQUAL(status, NT_STATUS_USER_EXISTS)) {
-   struct samr_DeleteUser d;
-   d.in.user_handle = libnet_r-out.user_handle;
-   

svn commit: samba r11408 - in branches/SAMBA_4_0/source/ldap_server: .

2005-10-30 Thread tridge
Author: tridge
Date: 2005-10-31 03:05:26 + (Mon, 31 Oct 2005)
New Revision: 11408

WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=11408

Log:

fixed the mapping of ldb errors to ldap errors in the ldap server

Modified:
   branches/SAMBA_4_0/source/ldap_server/ldap_simple_ldb.c


Changeset:
Modified: branches/SAMBA_4_0/source/ldap_server/ldap_simple_ldb.c
===
--- branches/SAMBA_4_0/source/ldap_server/ldap_simple_ldb.c 2005-10-31 
03:03:32 UTC (rev 11407)
+++ branches/SAMBA_4_0/source/ldap_server/ldap_simple_ldb.c 2005-10-31 
03:05:26 UTC (rev 11408)
@@ -35,7 +35,22 @@
}\
 } while(0)
 
+
 /*
+  map an error code from ldb to ldap
+*/
+static int sldb_map_error(struct ldapsrv_partition *partition, int ldb_ret,
+ const char **errstr)
+{
+   struct ldb_context *samdb = talloc_get_type(partition-private, 
+   struct ldb_context);
+   *errstr = ldb_errstring(samdb);
+
+   /* its 1:1 for now */
+   return ldb_ret;
+}
+
+/*
   connect to the sam database
 */
 NTSTATUS sldb_Init(struct ldapsrv_partition *partition, struct 
ldapsrv_connection *conn) 
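
Review bot: sldb_map_error() sets *errstr from ldb_errstring() on every call, including when ldb_ret is 0; the code it replaces in the add, delete, modify and rename handlers set errstr to NULL on success, so a stale ldb error string can now be attached to a successful response. Return early with *errstr = NULL when ldb_ret is 0. Because the mapping is 1:1, a value outside the LDAP result range, such as a legacy -1 from a backend, is also forwarded to the client unchanged; mapping unknown values to LDAP_OPERATIONS_ERROR would be safer.
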
@@ -219,7 +234,7 @@
 }
 
 static NTSTATUS sldb_Add(struct ldapsrv_partition *partition, struct 
ldapsrv_call *call,
-struct ldap_AddRequest *r)
+struct ldap_AddRequest *r)
 {
void *local_ctx;
struct ldb_dn *dn;
@@ -293,16 +308,7 @@
 
if (result == LDAP_SUCCESS) {
ldb_ret = ldb_add(samdb, msg);
-   if (ldb_ret == 0) {
-   result = LDAP_SUCCESS;
-   errstr = NULL;
-   } else {
-   /* currently we have no way to tell if there was an 
internal ldb error
-* or if the object was not found, return the most 
probable error
-*/
-   result = LDAP_OPERATIONS_ERROR;
-   errstr = ldb_errstring(samdb);
-   }
+   result = sldb_map_error(partition, ldb_ret, errstr);
}
 
add_result = add_reply-msg-r.AddResponse;
@@ -345,16 +351,7 @@
 
if (result == LDAP_SUCCESS) {
ldb_ret = ldb_delete(samdb, dn);
-   if (ldb_ret == 0) {
-   result = LDAP_SUCCESS;
-   errstr = NULL;
-   } else {
-   /* currently we have no way to tell if there was an 
internal ldb error
-* or if the object was not found, return the most 
probable error
-*/
-   result = LDAP_NO_SUCH_OBJECT;
-   errstr = ldb_errstring(samdb);
-   }
+   result = sldb_map_error(partition, ldb_ret, errstr);
}
 
del_result = del_reply-msg-r.DelResponse;
@@ -455,16 +452,7 @@
 
if (result == LDAP_SUCCESS) {
ldb_ret = ldb_modify(samdb, msg);
-   if (ldb_ret == 0) {
-   result = LDAP_SUCCESS;
-   errstr = NULL;
-   } else {
-   /* currently we have no way to tell if there was an 
internal ldb error
-* or if the object was not found, return the most 
probable error
-*/
-   result = LDAP_OPERATIONS_ERROR;
-   errstr = ldb_errstring(samdb);
-   }
+   result = sldb_map_error(partition, ldb_ret, errstr);
}
 
modify_result = modify_reply-msg-r.AddResponse;
@@ -614,16 +602,7 @@
 
if (result == LDAP_SUCCESS) {
ldb_ret = ldb_rename(samdb, olddn, newdn);
-   if (ldb_ret == 0) {
-   result = LDAP_SUCCESS;
-   errstr = NULL;
-   } else {
-   /* currently we have no way to tell if there was an 
internal ldb error
-* or if the object was not found, return the most 
probable error
-*/
-   result = LDAP_NO_SUCH_OBJECT;
-   errstr = ldb_errstring(samdb);
-   }
+   result = sldb_map_error(partition, ldb_ret, errstr);
}
 
modifydn = modifydn_r-msg-r.ModifyDNResponse;



svn commit: samba r11410 - in branches/SAMBA_4_0/source/libnet: .

2005-10-30 Thread abartlet
Author: abartlet
Date: 2005-10-31 03:44:29 + (Mon, 31 Oct 2005)
New Revision: 11410

WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=11410

Log:
Fix rejoin as a BDC by modifying, rather than trying to recreate, the
server reference.

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/libnet/libnet_join.c


Changeset:
Modified: branches/SAMBA_4_0/source/libnet/libnet_join.c
===
--- branches/SAMBA_4_0/source/libnet/libnet_join.c  2005-10-31 03:06:13 UTC 
(rev 11409)
+++ branches/SAMBA_4_0/source/libnet/libnet_join.c  2005-10-31 03:44:29 UTC 
(rev 11410)
@@ -26,6 +26,7 @@
 #include librpc/gen_ndr/ndr_lsa.h
 #include librpc/gen_ndr/ndr_drsuapi.h
 #include lib/ldb/include/ldb.h
+#include lib/ldb/include/ldb_errors.h
 #include libcli/cldap/cldap.h
 #include include/secrets.h
 #include librpc/gen_ndr/drsuapi.h
@@ -138,10 +139,44 @@
}
 
msg-dn = server_dn; 
-   msg-elements-flags = LDB_FLAG_MOD_ADD;
 
rtn = ldb_add(remote_ldb, msg);
-   if (rtn != 0) {
+   if (rtn == LDB_ERR_ENTRY_ALREADY_EXISTS) {
+   int i;
+   
+   /* make a 'modify' msg, and only for serverReference */
+   msg = ldb_msg_new(tmp_ctx);
+   if (!msg) {
+   libnet_r-out.error_string = NULL;
+   talloc_free(tmp_ctx);
+   return NT_STATUS_NO_MEMORY;
+   }
+   msg-dn = server_dn; 
+
+   rtn = ldb_msg_add_string(msg, 
serverReference,libnet_r-out.account_dn_str);
+   if (rtn != 0) {
+   libnet_r-out.error_string = NULL;
+   talloc_free(tmp_ctx);
+   return NT_STATUS_NO_MEMORY;
+   }
+   
+   /* mark all the message elements (should be just one)
+  as LDB_FLAG_MOD_REPLACE */
+   for (i=0;imsg-num_elements;i++) {
+   msg-elements[i].flags = LDB_FLAG_MOD_REPLACE;
+   }
+
+   rtn = ldb_modify(remote_ldb, msg);
+   if (rtn != 0) {
+   libnet_r-out.error_string
+   = talloc_asprintf(libnet_r,
+ Failed to modify server 
entry %s: %s: %d,
+ server_dn_str,
+ ldb_errstring(remote_ldb), 
rtn);
+   talloc_free(tmp_ctx);
+   return NT_STATUS_INTERNAL_DB_CORRUPTION;
+   }
+   } else if (rtn != 0) {
libnet_r-out.error_string
= talloc_asprintf(libnet_r,
Failed to add server entry %s: %s: %d,
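
Review bot: on LDB_ERR_ENTRY_ALREADY_EXISTS the code replaces serverReference on server_dn with the new account DN without reading the current value, so a join that collides with an existing server entry silently repoints it. Consider checking (or at least logging) the existing serverReference before the ldb_modify. The modify failure is also reported as NT_STATUS_INTERNAL_DB_CORRUPTION whatever rtn is, which hides cases such as insufficient access, and both NT_STATUS_NO_MEMORY exits leave error_string NULL.
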



svn commit: samba r11411 - in branches/SAMBA_4_0/source: nsswitch winbind

2005-10-30 Thread abartlet
Author: abartlet
Date: 2005-10-31 04:17:51 + (Mon, 31 Oct 2005)
New Revision: 11411

WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=11411

Log:
Add to Samba4 the Samba3 patch I just posted for machine account
logins (changing the winbindd interface).

Clean up the wbsrv_samba3_async_epilogue() handling, as it was mixing
auth and other replies, such that all replies were having the auth
error strings set.  We now do a better job of filling in the right
errors in the right places.

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/nsswitch/winbindd_nss.h
   branches/SAMBA_4_0/source/winbind/wb_pam_auth.c
   branches/SAMBA_4_0/source/winbind/wb_samba3_cmd.c


Changeset:
Modified: branches/SAMBA_4_0/source/nsswitch/winbindd_nss.h
===
--- branches/SAMBA_4_0/source/nsswitch/winbindd_nss.h   2005-10-31 03:44:29 UTC 
(rev 11410)
+++ branches/SAMBA_4_0/source/nsswitch/winbindd_nss.h   2005-10-31 04:17:51 UTC 
(rev 11411)
@@ -37,7 +37,7 @@
 
 /* Update this when you change the interface.  */
 
-#define WINBIND_INTERFACE_VERSION 11
+#define WINBIND_INTERFACE_VERSION 12
 
 /* Socket commands */
 
@@ -203,6 +203,7 @@
} auth;  /* pam_winbind auth module */
 struct {
 unsigned char chal[8];
+   uint32_t logon_parameters;
 winbind_string user;
 winbind_string domain;
 winbind_string lm_resp;

Modified: branches/SAMBA_4_0/source/winbind/wb_pam_auth.c
===
--- branches/SAMBA_4_0/source/winbind/wb_pam_auth.c 2005-10-31 03:44:29 UTC 
(rev 11410)
+++ branches/SAMBA_4_0/source/winbind/wb_pam_auth.c 2005-10-31 04:17:51 UTC 
(rev 11411)
@@ -31,6 +31,7 @@
 struct pam_auth_crap_state {
struct composite_context *ctx;
struct event_context *event_ctx;
+   uint32_t logon_parameters;
const char *domain_name;
const char *user_name;
const char *workstation;
@@ -51,6 +52,7 @@
 static NTSTATUS crap_samlogon_recv_req(struct composite_context *ctx, void *p);
 
 struct composite_context *wb_cmd_pam_auth_crap_send(struct wbsrv_call *call,
+   uint32_t logon_parameters,
const char *domain,
const char *user,
const char *workstation,
@@ -66,6 +68,8 @@
 
state-event_ctx = call-event_ctx;
 
+   state-logon_parameters = logon_parameters;
+
state-domain_name = talloc_strdup(state, domain);
if (state-domain_name == NULL) goto failed;
 
@@ -112,7 +116,7 @@
 
state-ninfo.identity_info.account_name.string = state-user_name;
state-ninfo.identity_info.domain_name.string =  state-domain_name;
-   state-ninfo.identity_info.parameter_control = 0;
+   state-ninfo.identity_info.parameter_control = state-logon_parameters;
state-ninfo.identity_info.logon_id_low = 0;
state-ninfo.identity_info.logon_id_high = 0;
state-ninfo.identity_info.workstation.string = state-workstation;
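
Review bot: parameter_control now takes logon_parameters unchanged, and that value corresponds to the new field in the winbindd request structure in winbindd_nss.h; if wb_samba3_cmd.c passes the request field through as is, any client of the winbindd pipe chooses the flags sent to the DC in the SamLogon call. Mask the value against the set of flags winbindd is prepared to forward, and document in winbindd_nss.h which flags the interface accepts.
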
@@ -242,6 +246,7 @@
 }
 
 NTSTATUS wb_cmd_pam_auth_crap(struct wbsrv_call *call,
+ uint32_t logon_parameters,
  const char *domain, const char *user,
  const char *workstation,
  DATA_BLOB chal, DATA_BLOB nt_resp,
@@ -252,7 +257,8 @@
  char **unix_username)
 {
struct composite_context *c =
-   wb_cmd_pam_auth_crap_send(call, domain, user, workstation,
+   wb_cmd_pam_auth_crap_send(call, logon_parameters, 
+ domain, user, workstation,
  chal, nt_resp, lm_resp);
return wb_cmd_pam_auth_crap_recv(c, mem_ctx, info3, user_session_key,
 lm_key, unix_username);
@@ -314,7 +320,8 @@
if (!NT_STATUS_IS_OK(status)) {
return NULL;
}
-   c = wb_cmd_pam_auth_crap_send(call, domain, user, workstation,
+   c = wb_cmd_pam_auth_crap_send(call, 0 /* logon parameters */, 
+ domain, user, workstation,
  chal, nt_resp, lm_resp);
return c;
 }

Modified: branches/SAMBA_4_0/source/winbind/wb_samba3_cmd.c
===
--- branches/SAMBA_4_0/source/winbind/wb_samba3_cmd.c   2005-10-31 03:44:29 UTC 
(rev 11410)
+++ branches/SAMBA_4_0/source/winbind/wb_samba3_cmd.c   2005-10-31 04:17:51 UTC 
(rev 11411)
@@ -36,19 +36,23 @@
 #include lib/events/events.h
 #include librpc/gen_ndr/ndr_netlogon.h
 
-static void 

svn commit: samba r11412 - in branches/SAMBA_4_0/source/winbind: .

2005-10-30 Thread abartlet
Author: abartlet
Date: 2005-10-31 05:45:19 + (Mon, 31 Oct 2005)
New Revision: 11412

WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=11412

Log:
These comments may not be much, but my eyes scan code with even
minimal comments much better (much like volker scans code of less than
80 cols better ;-)

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/winbind/wb_samba3_cmd.c


Changeset:
Modified: branches/SAMBA_4_0/source/winbind/wb_samba3_cmd.c
===
--- branches/SAMBA_4_0/source/winbind/wb_samba3_cmd.c   2005-10-31 04:17:51 UTC 
(rev 11411)
+++ branches/SAMBA_4_0/source/winbind/wb_samba3_cmd.c   2005-10-31 05:45:19 UTC 
(rev 11412)
@@ -36,6 +36,10 @@
 #include lib/events/events.h
 #include librpc/gen_ndr/ndr_netlogon.h
 
+/* 
+   Send off the reply to an async Samba3 query, handling filling in the PAM, 
NTSTATUS and string errors.
+*/
+
 static void wbsrv_samba3_async_auth_epilogue(NTSTATUS status,
 struct wbsrv_samba3_call *s3call)
 {
@@ -60,6 +64,10 @@
}
 }
 
+/* 
+   Send of a generic reply to a Samba3 query
+*/
+
 static void wbsrv_samba3_async_epilogue(NTSTATUS status,
struct wbsrv_samba3_call *s3call)
 {
@@ -77,6 +85,10 @@
}
 }
 
+/* 
+   Boilerplate commands, simple queries without network traffic 
+*/
+
 NTSTATUS wbsrv_samba3_interface_version(struct wbsrv_samba3_call *s3call)
 {
s3call-response.result = WINBINDD_OK;
@@ -124,6 +136,11 @@
return NT_STATUS_OK;
 }
 
+/* 
+   Validate that we have a working pipe to the domain controller.
+   Return any NT error found in the process
+*/
+
 static void checkmachacc_recv_creds(struct composite_context *ctx);
 
 NTSTATUS wbsrv_samba3_check_machacc(struct wbsrv_samba3_call *s3call)
@@ -153,6 +170,11 @@
wbsrv_samba3_async_auth_epilogue(status, s3call);
 }
 
+/*
+  Find the name of a suitable domain controller, by query on the
+  netlogon pipe to the DC.  
+*/
+
 static void getdcname_recv_dc(struct composite_context *ctx);
 
 NTSTATUS wbsrv_samba3_getdcname(struct wbsrv_samba3_call *s3call)
@@ -191,6 +213,10 @@
wbsrv_samba3_async_epilogue(status, s3call);
 }
 
+/* 
+   Lookup a user's domain groups
+*/
+
 static void userdomgroups_recv_groups(struct composite_context *ctx);
 
 NTSTATUS wbsrv_samba3_userdomgroups(struct wbsrv_samba3_call *s3call)
@@ -255,6 +281,9 @@
wbsrv_samba3_async_epilogue(status, s3call);
 }
 
+/* 
+   Lookup the list of SIDs for a user 
+*/
 static void usersids_recv_sids(struct composite_context *ctx);
 
 NTSTATUS wbsrv_samba3_usersids(struct wbsrv_samba3_call *s3call)
@@ -328,6 +357,10 @@
wbsrv_samba3_async_epilogue(status, s3call);
 }
 
+/* 
+   Lookup a DOMAIN\\user style name, and return a SID
+*/
+
 static void lookupname_recv_sid(struct composite_context *ctx);
 
 NTSTATUS wbsrv_samba3_lookupname(struct wbsrv_samba3_call *s3call)
@@ -370,6 +403,10 @@
wbsrv_samba3_async_epilogue(status, s3call);
 }
 
+/* 
+   Lookup a SID, and return a DOMAIN\\user style name
+*/
+
 static void lookupsid_recv_name(struct composite_context *ctx);
 
 NTSTATUS wbsrv_samba3_lookupsid(struct wbsrv_samba3_call *s3call)
@@ -419,6 +456,16 @@
wbsrv_samba3_async_epilogue(status, s3call);
 }
 
+/*
+  Challenge-response authentication.  This interface is used by
+  ntlm_auth and the smbd auth subsystem to pass NTLM authentication
+  requests along a common pipe to the domain controller.  
+
+  The return value (in the async reply) may include the 'info3'
+  (effectivly most things you would want to know about the user), or
+  the NT and LM session keys seperated.
+*/
+
 static void pam_auth_crap_recv(struct composite_context *ctx);
 
 NTSTATUS wbsrv_samba3_pam_auth_crap(struct wbsrv_samba3_call *s3call)
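
Review bot: spelling in the added comment: "effectivly" should be "effectively" and "seperated" should be "separated". Elsewhere in this patch, "Send of a generic reply" wants "Send off", and "it's parts" and "it's 'basic' authentication mode" should use "its".
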
@@ -491,6 +538,9 @@
wbsrv_samba3_async_auth_epilogue(status, s3call);
 }
 
+/* Helper function: Split a domain\\user string into it's parts,
+ * because the client supplies it as one string */
+
 static BOOL samba3_parse_domuser(TALLOC_CTX *mem_ctx, const char *domuser,
 char **domain, char **user)
 {
@@ -509,6 +559,13 @@
return ((*domain != NULL)  (*user != NULL));
 }
 
+/* Plaintext authentication 
+   
+   This interface is used by ntlm_auth in it's 'basic' authentication
+   mode, as well as by pam_winbind to authenticate users where we are
+   given a plaintext password.
+*/
+
 static void pam_auth_recv(struct composite_context *ctx);
 
 NTSTATUS wbsrv_samba3_pam_auth(struct wbsrv_samba3_call *s3call)
@@ -547,6 +604,10 @@
wbsrv_samba3_async_auth_epilogue(status, s3call);
 }
 
+/* 
+   List trusted domains
+*/
+
 static void list_trustdom_recv_doms(struct composite_context *ctx);
 
 NTSTATUS wbsrv_samba3_list_trustdom(struct wbsrv_samba3_call *s3call)



svn commit: samba r11413 - in branches/SAMBA_4_0/source/winbind: .

2005-10-30 Thread abartlet
Author: abartlet
Date: 2005-10-31 06:01:55 + (Mon, 31 Oct 2005)
New Revision: 11413

WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=11413

Log:
More comments, plus always check (and update) the credentials chain,
regardless the authentication result on a particular user.

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/winbind/wb_pam_auth.c


Changeset:
Modified: branches/SAMBA_4_0/source/winbind/wb_pam_auth.c
===
--- branches/SAMBA_4_0/source/winbind/wb_pam_auth.c 2005-10-31 05:45:19 UTC 
(rev 11412)
+++ branches/SAMBA_4_0/source/winbind/wb_pam_auth.c 2005-10-31 06:01:55 UTC 
(rev 11413)
@@ -28,6 +28,7 @@
 #include smbd/service_stream.h
 #include libcli/auth/credentials.h
 
+/* Oh, there is so much to keep an eye on when authenticating a user.  Oh my! 
*/
 struct pam_auth_crap_state {
struct composite_context *ctx;
struct event_context *event_ctx;
@@ -51,6 +52,14 @@
void *p);
 static NTSTATUS crap_samlogon_recv_req(struct composite_context *ctx, void *p);
 
+/* NTLM authentication.
+
+  Fill parameters into a control block to pass to the next function.
+  No application logic, this is done by the helper function paramters
+  to wb_domain_request_send()
+
+*/
+
 struct composite_context *wb_cmd_pam_auth_crap_send(struct wbsrv_call *call,
uint32_t logon_parameters,
const char *domain,
@@ -104,6 +113,11 @@
return NULL;
 }
 
+/*  
+NTLM Authentication
+
+Send of a SamLogon request to authenticate a user.
+*/
 static struct composite_context *crap_samlogon_send_req(struct wbsrv_domain 
*domain,
void *p)
 {
@@ -149,6 +163,11 @@
 state, state-r);
 }
 
+/* 
+   NTLM Authentication 
+   
+   Check the SamLogon reply, decrypt and parse out the session keys and the 
info3 structure
+*/
 static NTSTATUS crap_samlogon_recv_req(struct composite_context *ctx,
   void *p)
 {
@@ -161,9 +180,6 @@
status = composite_netr_LogonSamLogon_recv(ctx);
if (!NT_STATUS_IS_OK(status)) return status;
 
-   status = state-r.out.result;
-   if (!NT_STATUS_IS_OK(status)) return status;
-
if ((state-r.out.return_authenticator == NULL) ||
(!creds_client_check(state-creds_state,
 state-r.out.return_authenticator-cred))) {
@@ -171,6 +187,12 @@
return NT_STATUS_ACCESS_DENIED;
}
 
+   status = state-r.out.result;
+   if (!NT_STATUS_IS_OK(status)) return status;
+
+   /* Decrypt the session keys before we reform the info3, so the
+* person on the other end of winbindd pipe doesn't have to.
+* They won't have the encryption key anyway */
creds_decrypt_samlogon(state-creds_state,
   state-r.in.validation_level,
   state-r.out.validation);
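
Review bot: the moved r.out.result check now sits after creds_client_check(), which is the point of the change, but nothing at that spot says the order matters. Add a short comment above the moved lines stating that the return authenticator must be verified, and the credentials chain updated, before the logon result is acted on, so a later cleanup does not move the check back.
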
@@ -180,13 +202,17 @@
state-r.out.validation.sam3,
(ndr_push_flags_fn_t)ndr_push_netr_SamInfo3);
NT_STATUS_NOT_OK_RETURN(status);
-   
+
+   /* The Samba3 protocol is a bit broken (due to non-IDL
+* heritage, so for compatability we must add a non-zero 4
+* bytes to the info3 */
state-info3 = data_blob_talloc(state, NULL, tmp_blob.length+4);
NT_STATUS_HAVE_NO_MEMORY(state-info3.data);
 
SIVAL(state-info3.data, 0, 1);
memcpy(state-info3.data+4, tmp_blob.data, tmp_blob.length);
 
+   /* We actually only ask for level 3, and assume it above, but anyway... 
*/
base = NULL;
switch(state-r.in.validation_level) {
case 2:
@@ -206,7 +232,9 @@
state-user_session_key = base-key;
state-lm_key = base-LMSessKey;
 
-   /* Give the caller the most accurate username possible */
+   /* Give the caller the most accurate username possible.
+* Assists where case sensitive comparisons may be done by our
+* ntlm_auth callers */
if (base-account_name.string) {
state-user_name = base-account_name.string;
talloc_steal(state, base-account_name.string);